Bluenoroff’s RustBucket campaign
2023-05-22 • SEKOIA
Sekoia.io analyzes Bluenoroff’s RustBucket activity as North Korea-nexus, financially motivated targeting of cryptocurrency, venture-capital, and related entities. The macOS chain installs a backdoored but functional PDF reader and requires a matching key PDF to decrypt C2 configuration and trigger a backdoor that profiles the host, contacts its C2 over HTTP POST, and requests commands. The report also identifies a Windows RustBucket variant using a fake PDF viewer with DevExpress components, DLL loading, antivirus checks, and process injection, showing Bluenoroff expanding cross-platform malware delivery around investment-themed lures.
Indicators of Compromise